Security Experts Pull Out of RSA Conference in NSA Protest

At least six speakers have withdrawn from the February 2014 RSA Conference, one of the top cybersecurity events of the year, in protest over allegations that EMC’s RSA security division accepted $10 million to essentially create a backdoor in one of its products.

Mikko Hyppönen, chief research officer for the Helsinki-based security firm F-Secure; Christopher Soghoian, principal technologist and senior policy analyst at the American Civil Liberties Union; Josh Thomas, a partner at Atredis Partners; and Jeffrey Carr, chief executive of Taia Global, were among the speakers to take to social media to express their displeasure over allegations first revealed in a Dec. 20 story by Reuters’s Joseph Menn.

“You can’t get much worse than this, in terms of a security company betraying its customers,” Carr told CIO Journal. Carr, who also founded his own conference called Suits and Spooks, withdrew from the conference on Jan. 3.

Hyppönen was the first speaker to pull out of the conference, on Dec. 23. Since then, others have joined him. “I’ve given up waiting for RSA to fess up to the truth” regarding the NSA, Soghoian wrote Tuesday in a Twitter message announcing that he had withdrawn from the conference.

Soghoian’s tweet read: “I’ve given up waiting for RSA to fess up to the truth re: the NSA and Dual_EC. I’ve just withdrawn from my panel at the RSA conference.”

Thomas recently cancelled his plane ticket and withdrew from the conference. He has worked in cryptography for the Defense Department, has held top-secret security clearance and still has friends in the government. But the Reuters story, alleging that RSA accepted $10 million from the NSA to essentially put a backdoor in a product called Bsafe, was too much. Thomas said he could no longer “lend his credibility” to the RSA Conference.

“It’s just not good for business, it’s not good for the population and I don’t really want to support that at all,” he told The Wall Street Journal.

In a statement, RSA said it “categorically denies” the allegation that it entered into a “secret contract” with the NSA.

Carr, who labeled RSA’s public statement “misleading and lacking details” in a Jan. 6 blog post, said the EMC unit and the NSA were at odds in the 1990s during the so-called encryption wars. It wasn’t until after the Sept. 11 attacks that the relationships between many security companies and the government began to change, he said. “The government went to private industry and said, ‘we’re in this war against terrorism together and our country is counting on you,’ ” he added.

Now, besides boycotting the conference, he is calling for a boycott of RSA products.

Hugh Thompson, program committee chair of the RSA Conference, says the conference has a history of being neutral and that the recent allegations regarding the NSA would likely be discussed at the conference. Still, he noted that the cancellations represented a small percentage of the 500 speakers scheduled for the conference. “My personal expectation is that it’s going to be a big event and there’s going to be a lot to discuss,” said Thompson, who is chief security technologist and senior vice president at security-technology vendor Blue Coat Systems.

Marcia Hofmann, a well-known digital privacy lawyer and a nonresident fellow at the Stanford Center for Internet and Society, cancelled her RSA talk Thursday. Hofmann’s talk was titled: “The Boundary Between Privacy and Security: The NSA Prism Program.”